from the because-it-can dept

This won't come as a huge surprise, I would imagine, but the telephony metadata dragnet collection that has to be renewed every few months "expired" today and was promptly reapproved by the FISA court, because "fuck you, that's why." That's not quite what they said, but consider it the bureaucratic-speak equivalent, coming from the Director of National Intelligence:

Previously on several occasions, the Director of National Intelligence declassified certain information about this telephony metadata collection program in order to provide the public with a more thorough and balanced understanding of the program. Consistent with his prior declassification decision and in light of the significant and continuing public interest in the telephony metadata collection program, DNI Clapper has decided to declassify and disclose publicly that the government filed an application with the Foreign Intelligence Surveillance Court seeking renewal of the authority to collect telephony metadata in bulk, and that the court renewed that authority.

The administration is undertaking a declassification review of this most recent court order.

Of course, it's true that last month, the previous order rubber-stamping this approval was declassified and revealed. Even though the same thing has been rubber stamped every few months for at least the past seven years, this time there was an attempt at a full justification for why it made sense. Of course, since it was a one-sided situation, without any adversarial hearing or opinion, it allowed the FISA court to make up its own rules and completely contradict the Supreme Court (to whom it's supposed to listen). It seems highly doubtful that the eventual declassified version of this rubber stamp will be any different than the last one.

Of course, in the last three months, we've also learned that this program of collecting data on every phone call in the US has been necessary to stop precisely zero attacks in the US -- but it did apparently lead them to a taxi driver sending some money to some not very nice people in Somalia. And, because of that, the NSA gets to keep track of everyone's phone calls. As has been explained repeatedly, this seems to go against not just the spirit and intended purpose of the 4th Amendment, but the plain language of that same Amendment. But, the FISA court has earned its rubber stamp reputation for a reason, and apparently it's not about to give up on it.

from the not-how-it-works dept

We recently wrote about the City of London Police ordering various registrars to shut down a list of websites based on the City of London Police themselves deciding they must be illegal. That is, without a court order or any judicial oversight, the police just decided the sites were illegal and needed to be taken offline. On top of that, the police force's new "IP Crime Unit" threatened registrars that if they didn't obey, then they might lose their accreditation from ICANN. This was based on a total misreading of both copyright law and ICANN's rules.

In fact, Mark Jeftovic, the head of EasyDNS, the one registrar that appears to have both refused the City of London Police's demand and also spoken out publicly about this terrible attack on due process, is now noting that all of the other registrars who complied with the orders are almost certainly in violation of ICANN's policies because they obeyed the police. The main issue is that part of the demand from the police was that the registrar not only redirect the site to a propaganda page, but that it also "freeze the whois record" to block any further changes.

But, as Jeftovic points out, ICANN has very specific rules about these things, and because some random police force demands it is not an approved reason to do such a thing:

Since there were no charges against any of the domains and no court orders, it may be at the registrars' discretion to play ball with these ridiculous demands. However – what they clearly cannot do now, is prevent any of those domain holders from simply transferring out their names to more clueful, less wimpy registrars.

Section 3, Obligations of The Registrar of Record clearly spells out the reasons why a registrar may deny a transfer-out request, and they are limited specifically to cases of fraud (the domain was paid for fraudulently), a UDRP proceeding or, hey, get this one "Court order by a court of competent jurisdiction", as well as some administrative reasons (like the domain was registered less than 60 days ago).

What is conspicuously absent from the list of reasons why a registrar that actually complied with this lunacy can now deny a transfer-out request is "because some guy sent you an email telling you to lock it down".

Jeftovic further notes that the registrars who folded upon receiving the police threat have now opened themselves up to significant liability problems, because the sites that got taken down can respond via the Transfer Dispute Resolution Policy (TDRP), which could mean that the registrars will have to pay "substantial" fees for blocking the transfer without a valid basis.

It certainly would be interesting to see the full list of sites the City of London Police decided to censor, as well as who the various registrars are, and how they reacted. While such a list doesn't appear to be out yet, I imagine it's only a matter of time.

from the checks-and-balances dept

Asked repeatedly for comment over the past several weeks, most recently on Thursday, the C.I.A. declined. But on Friday, the C.I.A. responded with a statement, the first public acknowledgment that Mr. Snowden had worked for the agency.

“The C.I.A did not file any report on Snowden indicating that it suspected he was trying to break into classified computer files to which he did not have authorized access while he was employed at the C.I.A., nor was he returned home from an overseas assignment because of such concerns,” Todd Ebitz, an agency spokesman, said in the statement.

This contradicts what the NY Times had reported on Friday -- and while it appears someone is not being particularly honest, we'll take back the story as well. Original below -- but crossed out.

The NY Times has an interesting report, claiming that investigators looking back through Ed Snowden's history, discovered that he was written up back in 2009, while working for the CIA, in Geneva, for "trying to break into classified computer files to which he was not authorized to have access." It was for this reason that he was sent home, and moved on to a new job, as a contractor for the NSA. The report notes that the writeup -- known as a "derogatory report" -- was considered somewhat minor, and wasn't shared with folks at the NSA.

What's interesting about this is that it at least suggests that Snowden has been considering all of this for quite a long time. Back in June, he had told Glenn Greenwald and Laura Poitras that his time in the CIA "disillusioned" him, and a colleague of his in Geneva apparently said recently that Snowden "was already experiencing a crisis of conscience of sorts" when she knew him back then. This seems interesting on a variety of levels, as it further highlights that Snowden didn't take the decision he made to be a whistleblower lightly. Plus, he had a long time to think things through, which supports the claims that Barton Gellman recently made, concerning Snowden's larger view of what he was doing.

from the urls-we-dig-up dept

Which of these are berries: bananas, watermelon, avocado, strawberries? Surprisingly, all of them, except strawberries. According to the botanical definition, a "berry" is a fleshy fruit that's produced from a single ovary. Strawberries are actually "accessory fruits" which consist of many small individual fruits embedded in a fleshy receptacle. The "seeds" that you see on the surface of strawberries are the actual fruits, and each of them surrounds a tiny seed. Here are some more strawberry-related links.

from the incompatible dept

An interesting bit of fallout from the NSA revelations: the EFF has resigned from the Global Network Initiative, a big coalition of public interest groups, academics, investors and companies that are trying to advance concepts of freedom of expression and the right to privacy around the globe. The group is pointing out that the forced gag orders on the tech companies who are a part of GNI mean that it is now uncomfortable having its name associated with the group. The fear is that if the companies can't speak freely about what's going on, it harms the overall mission of GNI.

EFF has been a civil society member of the multi-stakeholder human rights group since GNI was founded in 2008 to advance freedom of expression and privacy in the global information and communication technologies sector. While much has been accomplished in these five years, EFF can no longer sign its name on joint statements knowing now that GNI's corporate members have been blocked from sharing crucial information about how the US government has meddled with these companies' security practices through programs such as PRISM and BULLRUN.

"We know that many within the industry do not like or approve of such government interference, and GNI has, in statements, made it clear that member companies want permission from the US government to engage in greater transparency," EFF's International Director Danny O'Brien and Director for International Freedom of Expression Jillian C. York write in a letter to GNI leadership. "However, until serious reforms of the US surveillance programs are in place, we no longer feel comfortable participating in the GNI process when we are not privy to the serious compromises GNI corporate members may be forced to make. Nor do we currently believe that audits of corporate practice, no matter how independent, will uncover the insecurities produced by the US government's—and potentially other governments'—behavior when operating clandestinely in the name of national security."

While this may be more symbolic than anything else, it highlights the wider breakdown in trust that the NSA's overreach has brought about. The NSA and its defenders like to pretend that there's no downside to their dragnet surveillance efforts, and the secrecy that encases every program. But it has a very real impact for so many people, organizations and companies.

from the super-villain dept

If anyone knows how to be polite, genteel, and appropriate, it's certainly me. That falsehood said, it's become increasingly difficult to keep up on what's considered polite and what isn't in this digital world. Still, one can try to keep up. So, after much trial and error, I now know it is not okay to take a dinner companion's phone when he's in the bathroom and use his Facebook app to vicariously profess his love for a mutual friend's wife. Likewise, thou shalt not turn absent co-workers' desktop backgrounds to photoshopped images of Martha Stewart's head on Hitler's body. You just don't do those things.

But even I don't require any practice to know that I shouldn't hijack my customers' Twitter accounts without their knowledge to pimp my own wares. Yet it seems this seemingly low level of comprehension eluded the New York Comic Convention.

Fans, celebrities and press attending New York Comic Con on Thursday sent out laudatory tweets expressing excitement to be at the annual convention — or at least it looked like they did, as the tweets were published entirely without their permission or knowledge.

The tweets were tied to attendees' NYCC badges. This year, conference organizers Reedpop allowed people to pre-register their badges online. The badges have radio-frequency identification (RFID) chips that are tied to a user's identity in order to curb counterfeits. Attendees were then invited to connect their social-media accounts to their badge, although it wasn't explicitly stated that NYCC could post to Facebook or Twitter on their behalf. As people checked in to the convention on Thursday, many published tweets looked authentic (and were written in conversational language), but were not written by attendees.

Those tweets were basically ecstatic exclamations about how great the NYCC is, how excited the tweeter was about attending certain functions therein, and ostensibly about how the NYCC had simultaneously cured cancer and ended global terrorism as we know it. The point is that attendees, who may or may not have been as excited as their hijacked Twitter accounts suggested, weren't exactly pleased to find themselves being turned into ventriloquist dummies by the convention. Many of those same Twitter accounts that had been hijacked were suddenly tweeting back to the convention's Twitter account with angry complaints. As a result, the NYCC issued this statement:

As you may have seen yesterday, there were some posts to Twitter and Facebook issued by New York Comic Con on behalf of attendees after RFID badges were registered. This was an opt-in function after signing in, but we were probably too enthusiastic in our messaging and eagerness to spread the good word about NYCC. We have since shut down this service completely and apologize for any perceived overstep. Please accept our apologies and have an absolutely excellent time this weekend. -Your friends at NYCC

Allow me to translate this for you: "Since you didn't magically understand that this opt-in service doesn't involve us informing you of exactly what you're opting into, please accept our sardonic and barely sincere apology and just go read some comics or whatever." When the entire premise of your "apology" is a lie (it isn't opt-in when you hide what is being opted into), it loses the moniker of apology and will instead be identified as bullshit. Pretty ballsy when you consider that the convention goers, celebrity attendees, and those actually buying booths at the convention encompass approximately all your customers. Enjoy the publicity, NYCC!

from the nice-work-guys dept

The MPAA's lawsuit against IsoHunt is still going on, and the latest shenanigans from the movie studios (yet again) raise significant questions about the (lack of) care with which they handle these cases. They often seem to act as if it's so self-evident that any torrent search engine or cyberlocker is evil that they don't really have to be that careful in actually proving their case. The latest, found via TorrentFreak, is that the evidence the MPAA is using to try to prove direct infringement doesn't seem to show any infringement, because the evidence isn't what they claim it is. Beyond failing to provide the necessary documents in a timely manner for discovery, now that the MPAA has finally produced the evidence, it appears completely screwed up. IsoHunt wanted to look through the details of the claims of direct infringement to see whether or not the movie studios had uploaded the works themselves, or if any of the downloads were also from the studios. The MPAA delayed handing over such information and when it finally sent a hard drive along with a corresponding explanation, the details didn't match up.

Plaintiffs' BT_ID List identifies dot-torrent file 2224 as corresponding to Plaintiffs' work "Legends of the Fall."

Plaintiffs produced a copy of a dot-torrent file named "2224.torrent" on September 19, 2013. But opening the dot-torrent file "2224.torrent" in a BitTorrent client causes it to begin attempting to download a copy of a work entitled "Buddha Bar - Vol 4."

The target file of the 2224.torrent file could not be downloaded.

Plaintiffs' BT_ID List identifies dot-torrent file 3630 as corresponding to Plaintiffs' work "Seven Years in Tibet."

Plaintiffs produced a copy of a dot-torrent file named "3630.torrent" on September 19, 2013. But opening that dot-torrent file in a BitTorrent client causes it to begin attempting to download a copy of a work entitled "Transformers."

On September 28, 2013, I launched the dot-torrent file "16170.torrent" using the BitTorrent client uTorrent, which downloaded eighteen files from the Internet. I reviewed each of the files and determined that none of them is the movie "Lords of Dogtown." Indeed, none of the files is a video file. Rather, the downloaded files comprise sixteen mp3 audio files, an m3u file (which when opened plays each of the sixteen audio files in sequence), a .sfv file (which I understand contains information to verify that files are uncorrupted), and a .nfo file that contains textual information about the audio files. Launching the 16170.torrent file using a BitTorrent client results in a download of audio files identical to the content files Plaintiffs actually produced on their hard drive on September 19, 2013.

There's more like that. IsoHunt's legal team points out that the MPAA has yet to actually produce any documents that are "sufficient to accurately identify their works," and that it will take a fair bit of time to actually look through all 2,000 torrent files and check whether they actually lead to the works claimed -- an impossible task in the amount of time IsoHunt has to respond to all of this.

I know that the MPAA likes to assume these sites are clearly guilty with no chance of being proven innocent, but you'd think the least they could do is not muck up the actual evidence.

from the got-that-backwards dept

Way back in 2005, we wrote a story about a ridiculous situation in which a group of students were suspended after filming an angry teacher go on a bit of a tirade, screaming at students and yanking the chair out from under one of them. Rather than discipline the teacher, the school suspended the students. This was way back before it was that common for everyone to have phones with cameras in them (back when people still called them "cameraphones" and mocked them) and before social media made it so easy to widely distribute such images and videos. You'd think, given nearly a decade of time to get used to the concept, that we wouldn't see a similar story pop up... but that's not the case apparently. 10 students in California have been suspended from their high school for posting, sharing or commenting on an image that appears to be their principal putting a student into a choke hold:

There is some dispute about what's happening in the photo. The principal, Todd Whitmire, claims that the girl was involved in a fight, and he had separated her from others, "and she began struggling and I was pushing her away to get her away from the area and she fell down." The girl, Ashley Johnson, a 9th-grader at the school, disputes this, is wearing a neck brace and claims that Whitmire injured her neck. Either version of the events may be plausible, but no matter what the truth is, it's ridiculous to suspend students for posting, sharing or commenting on the photo. Yet that's what the school did. Whitmire claims that the original posting of the image wasn't the problem, but "keeping it alive" or making "negative comments" somehow constitutes "cyberbullying."

Principal Todd Whitmire said it wasn't the posting of the photo that got the suspended students in trouble but rather the comments that were added to the photo, which he said amounts to cyberbullying through a social network. The two students who fought were also suspended earlier this week for their actions as called for under the state education code.

"It was the reposting, the retweeting, and keeping it alive and assigning negative comments to it and creating a hostile environment" for the girl, he said Wednesday of the posts that followed Friday's on-campus fight.

This is shameful. It seems abundantly clear that the school is trying to stifle free expression and free speech -- and they flat out admit that fact, but hide behind the claim that it's "cyberbullying." Cyberbullying of who? The principal? Really? If you're going to be an administrator in a public high school, you need to have a slightly thicker skin than to suspend students for saying some mean things about a photo of you.

from the you're-supposed-to-BE-the-oversight,-not-PREVENT-it dept

More evidence keeps surfacing showing Intelligence Committee members are simply jerking around their fellow Senate and Congress members when it comes to providing the documents needed to provide oversight for the NSA. Tony Romm's engrossing article for Politico refers to this deliberate obfuscation (tactfully) as "some limits," but adding what's been newly discovered to what we already know shows that the heads of the Intelligence Committees aren't really interested in collaborating with their colleagues to provide credible oversight.

The White House is its own problem, continually insisting (along with national intelligence officials) that everyone, both in the Congress and Senate, has had access to all pertinent briefings, rulings and other needed info -- even when it knows for a fact this information has not been disseminated. This helps the administration maintain its narrative of a well-oiled intelligence machine operating with the explicit permission of its oversight and allows the blame to be shifted elsewhere. If the American public is angry about the NSA's programs, the White House wants to aim that at legislators, rather than the NSA and administration.

If it's not Mike Rogers and Dutch Ruppersberger stashing documents or scheduling briefings at inconvenient times, it's the administration itself handing out "information" that glosses over details that should rightfully concern those charged with oversight.

One Obama administration report provided to lawmakers last year, for example, only opaquely referenced the NSA’s unlawful collection of thousands of Americans’ emails. The document, declassified this fall, didn’t mention that a secret court had rebuked the agency for its misleading statements.

These omissions add up. The picture being presented by the administration isn't complete and points fingers at Congress for lapses in oversight.

The scathing rebuke issued in 2011 by Judge Walton concerning the NSA's repeated abuse of its domestic surveillance capabilities over the previous three years was never seen by most legislators in its entirety until its declassification in August of this year. James Clapper has insisted lawmakers have already seen all pertinent information regarding the NSA's bulk collections, but Politico points out that this statement simply can't be true.

The Obama administration’s communication with the Hill, however, didn’t tell the story of an agency rebuked by the FISA court in 2011 for “a substantial misrepresentation regarding the scope of a major collection program.”

Instead, lawmakers got only one paragraph about the mishap, which had been obscured with technical details about “multi-communication transactions.” Meanwhile, the administration touted the incident as a case study defending the NSA’s existing oversight mechanisms.

Making matters worse are the limitations surrounding any revelations being brought to the attention of legislators. In addition to the obfuscation and stonewalling shown by the leaders of the House Intelligence Committee, legislators are hamstrung by the secrecy surrounding the documents themselves.

[M]any Hill staff sources interviewed by POLITICO noted it may not have been easy for their bosses to digest that report: Lawmakers in many cases weren’t able to bring their own legal advisers or take notes, and they had to view the document in a special part of the Capitol reserved for classified material.

Speaking of Rogers, we already know he withheld documents from House members shortly before voting on the Amash Amendment began and, in his latest move, sent invitations to attend an intelligence briefing to the Congressional junk mail inbox -- a briefing which was held on a Friday afternoon, long after most reps had returned to their districts. As to whether a "critical" document made its way to other members of Congress in 2012, Rogers simply isn't saying.

The chairman of the Intelligence Committee, Rogers, and the panel’s ranking Democrat, Dutch Ruppersberger of Maryland, declined to say whether they even had sent a letter in 2012 informing members there had been a critical document to view. Hill sources say they don’t recall anything of the sort.

The House Republicans held off on holding briefings until two days before the 2012 vote on reauthorizing the FISA Amendments Act. The invitation obtained by Politico makes no mention of the administration white paper detailing the NSA's "erroneous" collection of Americans' data.

On the plus side, the Senate Committee has done a better job (by comparison) at informing other senators, despite Dianne Feinstein's and Saxby Chambliss' unwavering support of the intelligence agency. But even their June 19th briefing invitation glossed over Judge Walton's 2011 rebuke of the agency's three-year run of privacy violations.

In the push for further transparency and (actual) oversight, legislators are finding themselves working against both intelligence committees -- committees that were set up to provide oversight, not run interference for intelligence agencies. Mike Rogers, in particular, has been completely hostile to other members of Congress, turning their attempts to gain knowledge and provide competent oversight into a "sick game of 20 questions," requiring reps to grasp about blindly until they stumble across a relevant question intelligence officials can't dodge.

Unfortunately, the many legislative efforts in the works aimed at reining in the NSA's collection capabilities will suffer from the same opacity, as concerns (mostly exaggerated) about national security will push these markup sessions behind closed doors. And once they're out of the public eye, the defenders of the surveillance state will find it much easier to pitch unsupported claims as justification for continuing "business as usual."

from the not-to-protect-national-security... dept

At a recent event held by the Cato Institute concerning the NSA's surveillance overreach, Washington Post reporter Barton Gellman, who broke the PRISM story and (of course) has been one of the three key reporters on all of the Snowden docs, noted that the feds begged him not to reveal the nine companies listed as participants in the PRISM program. Gellman and the Post refused, noting that the government's reasons for wanting to keep the names out didn't raise any legitimate security concerns, but rather had to do with making life easier for the NSA:

The thing that the government most wanted us to remove was the names of the nine companies. The argument, roughly speaking, was that we will lose cooperation from companies if you expose them in this way. And my reply was "that's why we are including them." Not in order to cause a certain result, or to get you to lose your cooperation but if the harm that you are describing consists of reputational or business damage to a company because the public doesn't like what it's doing or you're doing, that's the accountability we are supposed to be promoting.

Right. That's called journalism: revealing information that the public should know about in order to make its own decisions about what they're doing with their information and privacy, which has been kept from them. Yes, it makes sense for the press to refrain from revealing direct sources and methods of surveillance that create a real national security issue -- but keeping the public in the dark about how the government has been able to compromise these companies isn't a national security issue at all. As we've pointed out in the past, there are plenty of tools in the surveillance toolbox that the public knows exist, which don't make the methods useless any more. For example, traditional phone wiretaps. It's no secret that those exist, and the public can debate the standards under which they're used. And law enforcement still uses them because they're useful.

But that's not what happened with PRISM. Instead, the whole concept was kept entirely secret -- including the overbroad gag orders on the tech companies. That's the troubling part here. There was no ability to have a public discussion over the standards of use. There's a difference between having the press say "wiretaps exist" and "the feds are wiretapping so-and-so right now." The revelation of the PRISM members was more the former, rather than the latter, but the intelligence community keeps pretending it was the latter.

from the doubling-down-on-failure dept

Marcus Ranum wrote
"Information security's
response to bitter failure, in any area of endeavour,
is to try the same thing that didn't work -- only harder."
It seems that this often applies to the entire security field, not just IT.
Here's a timely example.

There have been calls, in the wake of April's bombing at the Boston
Marathon, for increased surveillance of Americans -- already, arguably,
the most-surveilled and most spied-on citizens on the planet, to such an
extent that ex-Stasi staff are likely envious. In particular, there
have been calls for mass (camera) surveillance from
police department officials in Boston and New York City.

These recommendations clearly raise serious issues about
privacy and the Constitution
and the values we hold as a society. Others have written about those
issues more eloquently than I can. But let me break from their approach and
point out something on a much more pragmatic level:

It didn't work.

Let me ask you to consider for a moment the Boston Marathon and all
the video/still cameras that were focused on it, the ones whose images
were in front of the nation nonstop for days. Anyone who's run in or
been to a major distance running event knows that there are cameras everywhere.
There are race operation cameras at the start and finish.
There are TV news cameras, all over the course -- some fixed, some mobile.
There are family/friends of runners and other spectators,
concentrated at the start and finish,
but scattered everywhere along the course, and nearly
all of them have cameras.
There are official and unofficial
race photographers in multiple locations who try to grab still
shots of every runner and then offer them for sale afterwards.
There are
even some runners wearing cameras from time to time.
And then of course
there are all the now-ubiquitous cameras on
stores, banks, parking garages, traffic
signs, and on all kinds of other structures along the way.

We don't know why those responsible for the attack
in Boston did it; but what we do know is that the attack required a modicum
of planning and intelligence: they weren't entirely stupid.
I submit that there is no possible
way that they did not know that the finish area of a major marathon is
one of the most heavily-photographed areas of the planet on the day of
the event. Yet they not only selected it as their target, they made no
attempt at all to evade the massive number of lenses focused on it.

Thousands of cameras equated to zero deterrent value.

Yes, those cameras certainly helped identify and locate the suspects:
but that is cold consolation to those who lost life and limb, because
they didn't actually prevent the attack.
The upcoming
prosecution of Dzhokhar Tsarnaev, while it might yield some
answers to troubling questions, is not going to help local runner
Carol Downing's daughters
(Nicole Gross suffered two broken legs; Erika Brannock lost
part of one of hers)
recover and rehab and go on with their lives.

A thousand more, ten thousand more, a hundred thousand more
cameras would not help: cameras have no
deterrent value to people who are prepared to die and/or
don't care if they're identified.

There also remains the distinct, disturbing possibility
that the attackers chose the location because they
knew it was so thoroughly covered with cameras. An attack like this
is clearly directed at those present, but if its real purpose
is, as
Bruce Schneier observes,
to attack the minds of hundreds
of millions elsewhere, then it can only reach its targets if the
event is heavily documented and widely disseminated.

To put that point another way: it's entirely possible that adding cameras
to a particular location will decrease public safety -- because
it may make that location more attractive to those who want to make
certain their attacks are captured on video and of course, dutifully
replayed in slow-motion thousands of times
by 24x7 news networks with many hours
of airtime to fill.

This brings up another disturbing point: how is it possible
that senior law enforcement officials don't
recognize such an obvious, major security failure when it's right in front
of them? How can they possibly not grasp the simple concept
that if a thousand cameras failed to stop the Boston Marathon attack,
ten thousand cameras will fail to stop the next one, and might
even influence the attackers' choice of location?

The answer is thus not to add still more cameras: the answer is to
refuse to give in.
Terrorism doesn't work if its targets -- you, me, and
everyone else -- decline to be terrorized.

Runners have already responded: all over
the country, many of those who have never even thought of trying to qualify for
Boston started training for the Boston Marathon 2014 the next morning.
(If there wasn't a qualifying standard for the race, they would probably
receive a quarter million entries next year.)
Fundraisers for
The One Fund
are being organized at races all over the country;
and there is a common banner that will be at all of them:
"Run if you can; walk if you must; but finish for Boston".

That's how you fight terrorism: you simply refuse to yield to it.
You don't need more cameras, more wiretaps, more spying, more databases,
more secrets, more intrusion. You don't need to declare the Constitution
obsolete, as
NYC Mayor Bloomberg would like to do.
You don't need to cower in fear or to give in to paranoia.
And you certainly don't need to redouble your efforts toward an
approach that's already been demonstrated not to work.

from the suffering-from-threat-inflation dept

Cyberbullying continues to be the topic du jour, especially for school administrators and legislators, both of whom feel something needs to be done, even if they both have nothing in the form of hard data showing the threat matches the perception.

I got a call recently from a woman who works for a company that makes an app designed to "keep kids safe" by enabling parents to monitor their texts and social media activities. The pitch included some dire statistics such as "70 percent of kids are cyberbullied" and -- like other companies that make parental-control software -- I was also told that it helps protect kids from strangers who would do them harm.

Actual studies point to much lower numbers, although there's no solid consensus.

The National Center for Educational Statistics reports that 6 percent of students in grades 6-12 experienced cyberbullying. The Centers for Disease Control found in 2011 that 16.2 percent of students had been bullied via email, chat rooms, instant messaging, websites or texting -- compared to 20.1 percent who had been bullied on school property (traditional bullying) -- during the 12 months prior to the survey. The Cyberbullying Research Center reports that "on average, about 24 percent of the students who have been a part of our last six studies have said they have been the victim of cyberbullying at some point in their lifetime."

Dan Olweus, who the editor of the European Journal of Development Psychology referred to as the "father of bullying research" wrote a 2012 article for that journal where he said that "claims about cyberbullying made in the media and elsewhere are greatly exaggerated and have little empirical scientific support." Based on a three-year survey of more than 440,000 U.S. children (between 3rd and 12th grade), 4.5 percent of kids had been cyberbullied compared to 17.6 percent from that same sample who had experienced traditional bullying. An even more interesting statistic from that study is that only 2.8 percent of kids had bullied others.

Because cyberbullying isn't precisely defined, variations are to be expected. But even the most expansive definitions fail to return the scary numbers quoted by those pushing software, policies and legislation.

- 42% of kids have been bullied while online. 1 in 4 have had it happen more than once.
- 35% of kids have been threatened online. Nearly 1 in 5 have had it happen more than once.
- 21% of kids have received mean or threatening e-mail or other messages.
- 58% of kids admit someone has said mean or hurtful things to them online. More than 4 out of 10 say it has happened more than once.
- 53% of kids admit having said something mean or hurtful to another person online. More than 1 in 3 have done it more than once.
- 58% have not told their parents or an adult about something mean or hurtful that happened to them online.

The most surprising thing about these numbers is that the "mean or hurtful" stat isn't closer to 100%. Kids, due to their inherent lack of a developed world view, say "mean or hurtful" things all the time. Trying to portray this as "evidence" of widespread bullying is disingenuous. i-Safe may be a non-profit, but it still sells subscriptions to instructional software through its website. i-Safe has a vested interest in portraying bullying as worse than it actually is.

This startling "fact" is quoted all over the internet and is supposedly pulled from a Hartford County Examiner article. Unfortunately, that stat shows up nowhere in the referenced article and the study itself was performed not by the Examiner, but by the National Crime Prevention Council, home of McGruff the Crime Dog. The actual "stat" quoted by the Examiner says simply, "over 40% of all teenagers with Internet access have reported being bullied online." At some point, someone decided "over 40%" meant "around half," which sounds much more epidemic.

The actual number contained in the NCPC's report is 43%, closer to 40% than "almost half." How did this study manage to come up with a higher percentage than the others Magid quotes? By applying some very loose definitions, much like i-Safe above.

Most commonly, bullying is thought of as a pervasive, consistent activity, not a one-time event. Dan Olweus, "father of bullying research," defines bullying as "aggressive behavior that is intentional and that involves an imbalance of power. Most often, it is repeated over time." Recent studies like those performed by the NCPC and deployed by i-Safe have upped the number of incidents by weakening the term. While someone might feel "bullied" by a one-off interaction, defining every singular experience as "bullying" dilutes the meaning, leading to the punishment of non-bullies and diverting resources from dealing with real problems.

There are a lot of reasons why exaggerating is bad. For one thing, it causes parents to worry unnecessarily. Of course parents are concerned about their kids' use of online technology but focusing on the technology -- instead of the child's social emotional state -- is likely to divert their attention from real issues. And, as Olweus pointed out in this paper, "It may also create feelings of powerlessness and helplessness in the face of the presumably 'huge' and ubiquitous cyberbullying problem," [and] that fixating on cyberbullying could encourage "an unfortunate shift in the focus of anti-bullying work if digital bullying is seen as the key bullying problem in the schools."

University of Texas at Arlington criminologist Seokjin Jeong analyzed data collected from 7,000 students from all 50 states.

He thought the results would be predictable and would show that anti-bullying programs curb bullying. Instead — he found the opposite.

Jeong said it was, “A very disappointing and a very surprising thing. Our anti-bullying programs, either intervention or prevention does not work.”

The study concluded that students at schools with anti-bullying programs might actually be more likely to become a victim of bullying. It also found that students at schools with no bullying programs were less likely to become victims.

The results were stunning for Jeong. “Usually people expect an anti-bullying program to have some impact — some positive impact.”

i-Safe says 42% have been bullied online, but only 25% have had it happen "more than once." 58% have had something "mean or hurtful" said to them, but only 40% have seen repeat occurrences. There's a huge gap between these single events and pervasive behavior and that gap is being exploited.

The detailed methodology from the Harris Poll powering the NCPC's bullying numbers is no longer posted at its site, but the four-page summary uses the following to define "bullying."

- Someone pretending to be someone else in order to trick them online, getting them to reveal personal information.
- Someone lying about someone online.
- Pretending to be them while communicating with someone else.
- Posting unflattering pictures of them online, without permission.

Between the weak definitions and the inclusion of one-time events, NCPC has watered down "bullying" to define actions that, while temporarily unpleasant and/or embarrassing, are hardly evidence of "aggressive behavior repeated over time."

This isn't to say that cyberbullying doesn't exist and isn't a problem. This is simply to point out that the more worrisome the numbers presented, the more likely there's a narrative or product being pushed that benefits those doing the pushing. The downside, as noted by Olweus above, is that real problems are being ignored while legislators and school administrators chase down incidents common to any group of people interacting with each other, especially children and teens.

Gen. Keith Alexander and his senior leadership team at the National Security Agency are angry and dispirited by what they see as the White House's failure to defend the spy agency against criticism of its surveillance programs, according to four people familiar with the NSA chiefs' thinking. The top brass of the country's biggest spy agency feels they've been left twisting in the wind, abandoned by the White House and left largely to defend themselves in public and in Congress against allegations of unconstitutional spying on Americans.

Former intelligence officials closely aligned with the NSA criticized President Obama for saying little publicly to defend the agency, and for not emphasizing that some leaked or officially disclosed documents arguably show the NSA operating within its legal authorities.

"There has been no support for the agency from the President or his staff or senior administration officials, and this has not gone unnoticed by both senior officials and the rank and file at the Fort," said Joel Brenner, the NSA's one-time inspector general, referring to the agency's headquarters at Ft. Meade, Maryland.

Of course, one response to this is: too bad. Perhaps if the NSA didn't keep pushing the boundaries further and further out, and there were more courageous folks like Ed Snowden willing to speak up and say "what we're doing is wrong," those NSA employees wouldn't be dealing with this mess. And, of course, you'd hope that the NSA would employ grown ups who don't get all mopey because the President has other things to focus on.

While the President has defended the NSA programs a few times (on TV programs such as Charlie Rose and Leno, as well as in that one press conference in August), it is true that most of the defending has come directly from intelligence officials themselves, including Keith Alexander and James Clapper, as well as the NSA's big defenders in Congress. The higher ups within the administration have been fairly quiet. And, apparently what's pissing off many in Ft. Meade is that President Obama had embraced them so closely since he came to office. Despite expressing some skepticism about these kinds of activities while he was running for office, once he got into the White House, Obama's "embrace of the dark world of spycraft has been near-absolute."

Of course, some might argue in response that there's really not much else that the President can do at this moment. He's given a few statements about it, set up the ridiculously weak "review" board, and then has kind of had his hands full with things like Syria and a government shutdown -- both of which are, certainly, issues that deserve his attention. The article quotes Brenner again, saying that the President should have gone to Ft. Meade and given them a pep talk. That seems a bit silly to me. If NSA employees need pep talks to keep morale up, it seems like they're in the wrong business.

"The President is uncomfortable defending this. Maybe he spends too much time reading blogs on the left," Baker said. "That's fatal in cases like this. You have to make the case because nobody else will."

Yeah. It's those damn lefty blogs that are the problem (ignoring, of course, how much of the outcry has come from right-leaning and libertarian blogs). Of course, there is the possibility that President Obama is legitimately embarrassed over having the NSA's excesses come out. A couple years ago, we highlighted famed whistleblower Daniel Ellsberg talking about President Obama's response to whistleblowing (the discussion was about Wikileaks), and he speculated that Obama's incredible devotion to secrecy when it came to civil liberties violations and leaks might be because of pure embarrassment. As he noted, President Bush didn't care much for civil liberties, but he also was fairly upfront about that fact. President Obama, however, acted as if he did care about civil liberties, while behaving in a very different manner. Thus, it's entirely possible, as Ellsberg speculated years ago, President Obama is happy to do all of this so long as it stays secret. The second any of it comes out, he's ashamed by his own actions -- which might explain the less than full-throated support for these actions.

Still, as others point out in the FP article, if the rift is really that big, it's somewhat surprising that the President hasn't yet thrown either Alexander or Clapper under the bus, giving him the opportunity to pretend to blame them alone for the overreach. The President has already made the ridiculous claim that he only finds out what the NSA is doing from the press, so he could easily argue that the agencies have gone "rogue" and get rid of the leaders. But he hasn't done that.

Still, the potential of a growing rift between the White House and the intelligence community is worth watching as new bills are proposed to curb those agencies' excesses.

from the better-late-than-never dept

We've written a few times about how the author of the PATRIOT Act, Jim Sensenbrenner, has insisted that the bill was written specifically to prevent the kind of datamining we now know the NSA pretends the law authorized. However, as some have pointed out, for a decade, plenty of people have directly raised these kinds of concerns (without knowing the specifics of what the NSA was doing) to Sensenbrenner about how "his" PATRIOT Act could be abused -- and he brushed them off or ignored it every single time.

However, now that he seems to realize what's happening (though, without apologizing for his earlier attacks on those who raised questions about the PATRIOT Act), he's finally getting ready to introduce new legislation, dubbed the USA Freedom Act, to try to clearly restrain the activities of the NSA. According to the Guardian, who has seen a draft of the bill, the bill will do a few things:

It seeks to limit the collection of phone records to known terrorist suspects; to end "secret laws" by making courts disclose surveillance policies; to create a special court advocate to represent privacy interests; and to allow companies to disclose how many requests for users' information they receive from the USA. The bill also tightens up language governing overseas surveillance to remove a loophole which has been abused to target internet and email activities of Americans.

All of these are good things -- and all are items that we've been focusing on for quite some time. Plus, there's this:

Sensenbrenner also called for the prosecution of Obama's director of national intelligence, James Clapper, who admitted misleading the Senate intelligence committee about the extent of bulk collection of telephone records.

"Oversight only works when the agency that oversight is directed at tells the truth, and having Mr Clapper say he gave the least untruthful answer should, in my opinion, have resulted in a firing and a prosecution," said the congressman.

While it may have taken a bit too long in our opinion, it's good to see Rep. Sensenbrenner taking a strong stand against the Intelligence Community's abuses. Hopefully, the next time civil liberties advocates raise issues like this, he won't be so dismissive.

The National Security Agency’s director said Tuesday he is open to storing telephone records in a neutral “repository” to alleviate concerns about government snooping.

General Keith Alexander, speaking about the controversy over bulk collection of phone “metadata” said his personal view is that more transparency would help restore public trust in the secret intelligence service.

“I believe it is in our nation’s best interest to put all this phone data into a repository where you the American people know what we are doing with it,” Alexander told a cybersecurity forum sponsored by the news organization Politico.

“I’m open for greater transparency. I’m open for where we put the data.”

Well, that would be all well and good except for the fact that the data itself comes from "neutral" sites, or at least sites that were neutral before they were approached by the government. It was already stored at neutral sites. If the NSA would just stop collecting the data, it would remain at neutral sites.

Storing the collection at a neutral site is meaningless unless there's complete transparency about the NSA's access. To date, the NSA hasn't been interested in sharing those details. It prevents the companies it taps into from providing any details to the public about the collections.

No abuse can be prevented and no concerns "alleviated" if the entity handling the neutral storage can't openly discuss what sort of inquiries are taking place. Let's not forget the FBI so thoroughly abused the system that its inquiries devolved from requiring warrants to the issuance of an unlimited amount of National Security Letters and "exigent circumstances" claims to Post-It notes to simply copying down info while staring over the shoulder of a telco employee running searches for it.

With nothing in place to prevent the neutral site from being abused in the same fashion as every neutral site the NSA harvests data from, the slight nod towards transparency is worthless. Keeping the phone metadata away from the NSA's fire-prone servers probably sounds like a huge concession to Gen. "Collect all the data!" Alexander, but to anyone outside the system, it just sounds like off-site storage -- storage that will be accessed with the same frequency and same lack of oversight as the NSA's proprietary data banks.

This is what the NSA feels is a "concession" and the only reason it's being offered is because there's a chance that its bulk records collections may actually be cut off. Alexander points out that the NSA will still need to have access to "deal with any terrorist threat from overseas." This would presumably be on-demand whenever the agency feels the collection might contain "relevant" data. In other words, nothing changes but the address.

I can't even offer Alexander an E for effort here. Changing the venue to a "neutral site" (like, say, AT&T? Or a Redmond address?) does nothing for transparency or privacy. As long as the whole process is subject to gag orders and layers of secrecy, the NSA can continue to perform its spying efforts completely unimpeded.

from the well,-look-at-that dept

For pretty much the entire history of the mobile phone business, your choice of service providers was mostly dependent on trying to find the least evil provider. They all played the same awful tricks designed to make you pay more -- and to hate your service provider in the process. Could it possibly be that T-Mobile has finally decided that it's going to become the brand that completely shakes that up? Last year we wrote about the company killing off the abusive practice of long-term contracts combined with subsidies that actually made you pay much more for your phone while making people think they were paying less. And now they've hit back on one of the other favorite gouging places for mobile phone carriers: positively insane international roaming fees that resulted in numerous stories of people suddenly receiving bills over $10,000.

T-Mobile's response isn't to just lower the international roaming fees, it's to get rid of them completely, replacing them with free data access in most countries, and relatively cheap phone calls. The free data plan is fairly slow, but you can upgrade to pay for a faster plan at non-crazy rates (about $15/day -- which is actually less than many hotels charge for WiFi). While other mobile carriers have "international plans" it looks like, even if you're paying up for the "higher levels" of service, T-Mobile's plans will come out significantly cheaper than any competitor.

I'm not sure my brain can process the idea of a mobile phone company that doesn't suck and focus on customer disservice over customer utility.